The microprocessor 1138 also interacts with other device subsystems, such as the display 
1122, Flash memory 1124, RAM 1126, auxiliary input/output (I/O) subsystems 1128, serial port 
1130, keyboard 1132, speaker 1134, microphone 1136, a short-range communications subsystem 
1140 and any other device subsystems generally designated as 1142. 

Some of the subsystems shown in Fig. 11 perform communication-related functions, 
whereas other subsystems may provide "resident" or on-device functions. Notably, some 
subsystems, such as keyboard 1132 and display 1122 may be used for both communication-
related functions, such as entering a text message for transmission over a data communication 
network, and device-resident functions such as a calculator or task list or other PDA type 
functions. 

Operating system software used by the microprocessor 1138 is preferably stored in a 
persistent store such as Flash memory 1124. In addition to the operating system, which controls 
low-level functions of the mobile device 100, the Flash memory 1124 may include a plurality of 
high-level software application programs, or modules, such as a voice communication module 
1124A, a data communication module 1124B, an organizer module (not shown), or any other 
type of software module 1124N. These modules are executed by the microprocessor 1138 and 
provide a high-level interface between a user and the mobile device 100. This interface typically 
includes a graphical component provided through the display 1122, and an input/output 
component provided through the auxiliary I/O 1128, keyboard 1132, speaker 1134, and 
microphone 1136. The operating system, specific device applications or modules, or parts 
thereof, may be temporarily loaded into a volatile store, such as RAM 1126 for faster operation. 
Moreover, received communication signals may also be temporarily stored to RAM 1126, before 
permanently writing them to a file system located in a persistent store such as the Flash memory 
1124. 

An exemplary application module 1124N that may be loaded onto the mobile device 100 
is a personal information manager (PIM) application providing PDA functionality, such as 
calendar events, appointments, and task items. This module 1124N may also interact with the 
voice communication module 1124A for managing phone calls, voice mails, etc., and may also 
interact with the data communication module for managing e-mail communications and other 
data transmissions. Alternatively, all of the functionality of the voice communication module 
1124A and the data communication module 1124B may be integrated into the PIM module. 

The Flash memory 1124 preferably also provides a file system to facilitate storage of 
PIM data items on the device. The PIM application preferably includes the ability to send and 
receive data items, either by itself, or in conjunction with the voice and data communication 
modules 1124A, 1124B, via the wireless networks 1119. The PIM data items are preferably 
seamlessly integrated, synchronized and updated, via the wireless networks 1119, with a 
corresponding set of data items stored or associated with a host computer system, thereby 
creating a mirrored system for data items associated with a particular user. 

Decrypted session keys or other encryption accessing information is preferably stored on 
the mobile device 100 in a volatile and non-persistent store such as the RAM 1126. Such 
information may instead be stored in the Flash memory 1124, for example, when storage 
intervals are relatively short, such that the information is removed from memory soon after it is 
stored. However, storage of this information in the RAM 1126 or another volatile and non-
persistent store is preferred, in order to ensure that the information is erased from memory when 
the mobile device 100 loses power. This prevents an unauthorized party from obtaining any 
stored encryption accessing information such as a decrypted session key by removing a memory 
chip from the mobile device 100, for example. 

The mobile device 100 may be manually synchronized with a host system by placing the 
device 100 in an interface cradle, which couples the serial port 1130 of the mobile device 100 to 
the serial port of a computer system or device. The serial port 1130 may also be used to enable a 
user to set preferences through an external device or software application, or to download other 
application modules 1124N for installation. This wired download path may be used to load an 
encryption key onto the device, which is a more secure method than exchanging encryption 
information via the wireless network 1119. Interfaces for other wired download paths may be 
provided in the mobile device 100, in addition to or instead of the serial port 1130. For example, 
a USB port would provide an interface to a similarly equipped personal computer. 

Additional application modules 1124N may be loaded onto the mobile device 100 
through the networks 1119, through an auxiliary I/O subsystem 1128, through the serial port 
1130, through the short-range communications subsystem 1140, or through any other suitable 
subsystem 1142, and installed by a user in the Flash memory 1124 or RAM 1126. Such 
flexibility in application installation increases the functionality of the mobile device 100 and may 
provide enhanced on-device functions, communication-related functions, or both. For example, 
secure communication applications may enable electronic commerce functions and other such 
financial transactions to be performed using the mobile device 100. 

When the mobile device 100 is operating in a data communication mode, a received 
signal, such as a text message or a web page download, will be processed by the transceiver 
module 1111 and provided to the microprocessor 1138, which will preferably further process the 
received signal for output to the display 1122, or, alternatively, to an auxiliary I/O device 1128. 
A user of mobile device 100 may also compose data items, such as e-mail messages, using the 
keyboard 1132, which is preferably a complete alphanumeric keyboard laid out in the QWERTY 
style, although other styles of complete alphanumeric keyboards such as the known DVORAK 
style may also be used. User input to the mobile device 100 is further enhanced with a plurality 
of auxiliary I/O devices 1128, which may include a thumbwheel input device, a touchpad, a 
variety of switches, a rocker input switch, etc. The composed data items input by the user may 
then be transmitted over the communication networks 1119 via the transceiver module 1111. 

When the mobile device 100 is operating in a voice communication mode, the overall 
operation of the mobile device is substantially similar to the data mode, except that received 
signals are preferably output to the speaker 1134 and voice signals for transmission are 
generated by a microphone 1136. Alternative voice or audio I/O subsystems, such as a voice 
message recording subsystem, may also be implemented on the mobile device 100. Although 
voice or audio signal output is preferably accomplished primarily through the speaker 1134, the 
display 1122 may also be used to provide an indication of the identity of a calling party, the 
duration of a voice call, or other voice call related information. For example, the microprocessor 
1138, in conjunction with the voice communication module and the operating system software, 
may detect the caller identification information of an incoming voice call and display it on the 
display 1122. 

A short-range communications subsystem 1140 may also be included in the mobile 
device 100. For example, the subsystem 1140 may include an infrared device and associated 
circuits and components, or a short-range RF communication module such as a Bluetooth™ 
module or an 802.11 module to provide for communication with similarly-enabled systems and 
devices. Those skilled in the art will appreciate that "Bluetooth" and "802.11" refer to sets of 
specifications, available from the Institute of Electrical and Electronics Engineers, relating to 
wireless personal area networks and wireless local area networks, respectively. 

1. A method for processing encrypted messages at a wireless mobile communication device, 
comprising the steps of: 

receiving at the wireless mobile communication device an encrypted message 
comprising at least one encrypted session key and encrypted content; 

accessing the encrypted message; 

identifying an individual encrypted session key associated with the wireless 
mobile communication device; 

decrypting the individual encrypted session key; and 

storing the decrypted session key to memory; 

wherein the stored decrypted session key is used to decrypt the encrypted content 
of the encrypted message where the encrypted content is subsequently accessed. 

2. The method of claim 1, wherein the encrypted message is received by the wireless mobile 
communication device through a wireless infrastructure and a wireless network. 

3. The method of claim 2, wherein a message server transmits the encrypted message through 
the wireless infrastructure and the wireless network to the wireless mobile conununication 
device. 

4. The method of claim 3, wherein the message server receives the encrypted message from a 
message sender. 




WO 03/007570    PCT/CA02/… 

5. The method of claim 4, wherein the wireless mobile communication device requests in a pull 
message access scheme that stored messages be forwarded by the message server to the wireless 
mobile communication device. 

6. The method of claim 4, wherein the message server routes the encrypted message to the 
wireless mobile communication device when the encrypted message is received at the message 
server, and wherein the encrypted message is addressed by the message sender using a specific e-
mail address associated with the wireless mobile communication device. 

7. The method of claim 4, wherein the message server redirects the encrypted message to the 
wireless mobile communication device. 

8. The method of claim 4, wherein the message server comprises means for redirecting the 
encrypted message to the wireless mobile communication device. 

9. The method of claim 8, wherein, before the encrypted message is redirected to the wireless 
mobile communication device, a redirection program re-envelopes the encrypted message so as 
to maintain the addressing information of the encrypted message. 

10. The method of claim 9, wherein the redirection program re-envelopes the encrypted message 
so as to allow a reply message generated by the wireless mobile communication device to reach 
the message sender. 
11. The method of claim 1, further comprising, after the step of identifying, the steps of: 

determining whether the encrypted session key has been decrypted and stored to 
the memory; and 

retrieving the decrypted session key from the memory and using the stored 
decrypted session key to decrypt the encrypted content of the encrypted message where the 
encrypted session key has been decrypted and stored to the memory. 

12. The method of claim 11, wherein the steps of decrypting and storing are performed where 
the encrypted session key has not been decrypted and stored to the memory. 

13. The method of claim 1, wherein certificate information of a user of the wireless mobile 
communication device is transferred to the wireless mobile communication device through a 
wireless mobile communication device information transfer means. 

14. The method of claim 13, wherein the wireless mobile communication device information 
transfer means comprises a wireless communication module. 

15. The method of claim 14, wherein the wireless communication module is selected from the 
group consisting of: an infrared device, a Bluetooth module, and an 802.11 module. 
16. The method of claim 1, wherein certificate revocation lists are transferred to the wireless 
mobile communication device through a wireless mobile communication device information 
transfer means. 

17. The method of claim 16, wherein the wireless mobile communication device information 
transfer means comprises a serial port or a Universal Serial Bus (USB) port. 

18. The method of claim 16, wherein the wireless mobile communication device information 
transfer means comprises an infrared device, a Bluetooth module, or an 802.11 module. 

19. The method of claim 1, wherein the encrypted message is received by the wireless mobile 
communication device through means for providing a wireless infrastructure and through means 
for providing a wireless network. 

20. The method of claim 19, wherein means for providing a message server transmits the 
encrypted message through the means for providing the wireless infrastructure to the wireless 
mobile communication device. 

21. The method of claim 20, wherein the means for providing a message server receives the 
encrypted message from a message sender. 

22. The method of claim 1, wherein a message server transmits the encrypted message through a 
wireless infrastructure and a wireless network to the wireless mobile communication device, 
wherein the encrypted message comprises a plurality of encrypted session keys, wherein the 
message server determines the encrypted session key associated with the wireless mobile 
communication device, and wherein the message server reorganizes the encrypted message such 
that the encrypted message is sent to the wireless mobile communication device without 
containing at least one encrypted session key that is not associated with the wireless mobile 
communication device. 

23. The method of claim 22, wherein the encrypted message comprises a digital signature, and 
wherein the message server verifies the digital signature and sends to the wireless mobile 
communication device a result of the digital signature verification. 

24. The method of claim 1, wherein the encrypted message comprises a plurality of encrypted 
session keys, wherein the encrypted session keys are associated with different recipients, and 
wherein the encrypted message is reorganized prior to transmission to the wireless mobile 
communication device such that the encrypted message is transmitted to the wireless mobile 
communication device containing only the encrypted session key associated with the wireless 
mobile communication device. 

25. The method of claim 24, wherein the encrypted message comprises a digital signature, and 
wherein the message server verifies the digital signature and sends to the wireless mobile 
communication device the result of the digital signature verification. 
26. The method of claim 1, wherein the encrypted session key is a one-time session key that is 
generated and used for the encrypted message. 

27. The method of claim 26, wherein the session key was encrypted using a public key 
associated with the wireless mobile communication device. 

28. The method of claim 27, wherein the encrypted message was addressed to more than one 
receiver, and wherein the same session key is encrypted using a public key associated with each 
receiver. 

29. The method of claim 1, wherein the encrypted content was encrypted using a session key 
and encryption algorithm, and wherein a public key cryptographic algorithm was used to encrypt 
the session key to generate the encrypted session key. 

30. The method of claim 1, wherein the encrypted message was encrypted using Secure 
Multipurpose Internet Mail Extensions (S/MIME) techniques. 

31. The method of claim 1, wherein the encrypted message was encrypted using Pretty Good 
Privacy techniques. 

32. The method of claim 1, wherein the encrypted message was encrypted using OpenPGP 
techniques. 
33. The method of claim 1, wherein the encrypted message comprises a digital signature. 

34. The method of claim 1, wherein the encrypted message comprises an e-mail message. 

35. The method of claim 1, wherein the decrypted session key is removed from the memory 
after a preselected time has elapsed. 

36. The method of claim 35, wherein the preselected time is selected by the user. 

37. The method of claim 1, wherein the decrypted session key is removed from the memory 
based upon a characteristic associated with the encrypted message. 

38. The method of claim 37, wherein the decrypted session key is removed from the memory 
based upon electrical power being removed from the wireless mobile communication device. 

39. The method of claim 37, wherein the characteristic comprises the identity of a sender of the 
encrypted message. 

40. The method of claim 39, wherein the identity of the sender of the encrypted message 
comprises an e-mail address of the sender. 

41. The method of claim 1, wherein the decrypted session key is removed from the memory 
based upon a sensitivity level of the encrypted message. 
42. The method of claim 41, wherein the sensitivity level is determined based upon a subject 
line contained within the encrypted message. 

43. The method of claim 41, wherein the sensitivity level is determined based upon the 
encrypted content. 

44. The method of claim 1, further comprising the step of: 

setting a disabling flag so that the decrypted session key is not continuously 
stored in the memory for use in additional accesses of the encrypted content. 

45. The method of claim 1, further comprising the step of: 

setting a disabling flag so that the decrypted session key is removed from the 
memory after accessing the encrypted content. 

46. The method of claim 1, wherein the decrypted session key is stored to a volatile memory of 
the wireless mobile communication device. 

47. The method of claim 1, wherein the decrypted session key is stored to a volatile and non-
persistent memory of the wireless mobile communication device. 

48. The method of claim 1, wherein the decrypted session key is stored to a random access 
memory (RAM) of the wireless mobile communication device. 
49. The method of claim 1, wherein a user of the wireless mobile communication device enters 
security information in order to have the encrypted session key decrypted. 

50. The method of claim 49, wherein the security information comprises a password. 

51. An apparatus for processing encrypted messages at a wireless mobile communication 
device, comprising: 

means for receiving an encrypted message comprising at least one encrypted 
session key and encrypted content; 

means for accessing the encrypted message; 

means for identifying an individual encrypted session key associated with the 
wireless mobile communication device where the encrypted message is accessed by the means 
for accessing; 

means for decrypting the individual encrypted session key; and 

means for storing the decrypted session key to memory; 

wherein the stored decrypted session key is used to decrypt the encrypted content 
of the encrypted message where the encrypted content is subsequently accessed by the means for 
accessing. 

52. Computer software stored on a computer readable medium, the computer software 
comprising program code for carrying out a method that processes an encrypted message at a 
wireless mobile communication device when the encrypted message is accessed, said encrypted 
message containing at least one encrypted session key and encrypted content, said method 
comprising the steps of: 

identifying an individual encrypted session key associated with the wireless 
mobile communication device where the encrypted message is accessed by the means for 
accessing; 

decrypting the individual encrypted session key; 

storing the decrypted session key to memory; and 

using the stored decrypted session key to decrypt the encrypted content where the 
encrypted content is accessed multiple times. 

53. An apparatus on a wireless mobile communication device for handling multiple accesses to 
encrypted content, wherein an encrypted message includes the encrypted content and further 
includes encryption accessing information, and wherein the encrypted message is transmitted to 
the wireless mobile communication device, the apparatus comprising: 

a storage software module that stores the encryption accessing information in 
memory which is volatile and non-persistent, wherein the encryption accessing information 
allows access to the encrypted content; and 

an accessing software module that retrieves from the memory the encryption 
accessing information, 

wherein the retrieved encryption accessing information is used to decrypt the 
encrypted content where the encrypted content is accessed multiple times. 
54. The apparatus of claim 53, wherein the encryption accessing information comprises a 
session key. 

55. The apparatus of claim 53, wherein the encrypted message further comprises a digital 
signature, wherein the storage software module stores, in the memory, verification information 
about the digital signature, and wherein the accessing software module retrieves from the 
memory the verification information when the encrypted content is accessed multiple times. 

56. The apparatus of claim 55, further comprising a data structure stored in the memory for 
containing the verification information and the encryption accessing information. 

57. The apparatus of claim 56, wherein the wireless mobile communication device receives a 
plurality of encrypted messages, and wherein the data structure associates which encryption 
accessing information is associated with which message. 

58. The apparatus of claim 57, wherein the data structure associates which verification 
information is associated with which message. 
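The following Python script is an added worked example and is not part of the patent text or of any implementation by the applicant. It models, in one place, the message flow of claims 1, 11-12, 22 and 24 (a message carrying one wrapped copy of a one-time session key per recipient, a message server that forwards only the device's own copy, and a device that unwraps that copy once and reuses it on later accesses) together with the volatile-store behaviour of claims 35, 38, 41-42, 44-45 and the RAM-versus-Flash rationale given in the description above. Real S/MIME or OpenPGP messages wrap the session key under each recipient's public key and encrypt the body with a symmetric cipher such as AES; so that the script runs on the standard library alone, both operations are stood in for by an HMAC-SHA256 counter-mode keystream, and a per-recipient secret stands in for that recipient's private key. The `EncryptedMessage` layout, the `Device` and `server_reorganize` names, the rule that a subject line containing "confidential" disables caching, and all addresses and message bodies are constructed for illustration and do not come from the patent. Digital-signature handling (claims 23, 25, 55) is left out.

```python
# Added illustration, not patent text: session-key caching on a mobile device.
# Stand-ins: an HMAC-SHA256 counter-mode keystream replaces both the content
# cipher (AES in practice) and public-key wrapping of the session key; a shared
# secret per recipient stands in for that recipient's private key.  Not a cipher
# for real use.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` (same operation) with an HMAC-derived keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


@dataclass
class EncryptedMessage:
    sender: str
    subject: str                 # assumed readable by the device (claim 42)
    nonce: bytes
    wrapped_keys: dict           # recipient address -> session key wrapped for that recipient
    ciphertext: bytes


def compose(sender: str, subject: str, body: bytes, recipient_keys: dict) -> EncryptedMessage:
    """Sender side: one one-time session key, wrapped once per recipient (claims 26-28)."""
    session_key, nonce = os.urandom(32), os.urandom(16)
    wrapped = {addr: xor_stream(k, b"wrap" + nonce, session_key) for addr, k in recipient_keys.items()}
    return EncryptedMessage(sender, subject, nonce, wrapped, xor_stream(session_key, nonce, body))


def server_reorganize(msg: EncryptedMessage, device_addr: str) -> EncryptedMessage:
    """Message server: forward only the wrapped key meant for this device (claims 22, 24)."""
    return EncryptedMessage(msg.sender, msg.subject, msg.nonce,
                            {device_addr: msg.wrapped_keys[device_addr]}, msg.ciphertext)


class Device:
    """Mobile device that keeps decrypted session keys only in volatile memory."""

    def __init__(self, addr: str, private_key: bytes, ttl_seconds: float, clock=time.monotonic):
        self.addr = addr
        self._private_key = private_key   # stand-in for the device's private key
        self.ttl = ttl_seconds            # claim 35: preselected lifetime of a cached key
        self.clock = clock
        self._cache = {}                  # RAM only: (sender, nonce) -> (session key, stored_at)
        self.unwrap_count = 0             # number of (expensive) private-key operations

    def power_cycle(self) -> None:
        """Power loss erases the volatile store (claim 38); nothing was written to flash."""
        self._cache.clear()

    def _may_cache(self, msg: EncryptedMessage) -> bool:
        # Claims 41-42: a sensitivity marker in the subject line disables caching.
        # The marker word is an assumption of this example.
        return "confidential" not in msg.subject.lower()

    def open_message(self, msg: EncryptedMessage, disable_caching: bool = False) -> bytes:
        """Claims 1, 11, 12, 44, 45: reuse a cached key if present and fresh, else unwrap."""
        mid = (msg.sender, msg.nonce)
        entry = self._cache.get(mid)
        if entry is not None and self.clock() - entry[1] <= self.ttl:
            session_key = entry[0]
        else:
            self._cache.pop(mid, None)    # drop an expired entry
            if self.addr not in msg.wrapped_keys:
                raise KeyError("message carries no session key for %s" % self.addr)
            self.unwrap_count += 1
            session_key = xor_stream(self._private_key, b"wrap" + msg.nonce, msg.wrapped_keys[self.addr])
            if not disable_caching and self._may_cache(msg):
                self._cache[mid] = (session_key, self.clock())
        return xor_stream(session_key, msg.nonce, msg.ciphertext)


def demo() -> dict:
    """Constructed scenario: two recipients, the device belongs to Bob; returns checkable counters."""
    keys = {"alice@example.com": os.urandom(32), "bob@example.com": os.urandom(32)}
    clock = [0.0]                          # controllable clock so TTL expiry is deterministic
    bob = Device("bob@example.com", keys["bob@example.com"], ttl_seconds=600, clock=lambda: clock[0])
    msg = compose("carol@example.com", "Q3 plan", b"meet at 10", keys)
    fwd = server_reorganize(msg, "bob@example.com")
    out = {"forwarded_key_count": len(fwd.wrapped_keys), "plaintext": bob.open_message(fwd)}
    bob.open_message(fwd)                  # second access served from RAM, no unwrap
    out["unwraps_after_two_reads"] = bob.unwrap_count
    clock[0] += 601
    bob.open_message(fwd)                  # TTL elapsed: key was purged, unwrap again
    out["unwraps_after_ttl"] = bob.unwrap_count
    bob.power_cycle()
    bob.open_message(fwd)                  # RAM gone: unwrap again
    out["unwraps_after_power_cycle"] = bob.unwrap_count
    secret = server_reorganize(compose("carol@example.com", "CONFIDENTIAL: numbers", b"42", keys),
                               "bob@example.com")
    bob.open_message(secret)
    bob.open_message(secret)               # never cached: both accesses unwrap
    out["confidential_unwraps"] = bob.unwrap_count - out["unwraps_after_power_cycle"]
    return out
```

Calling `demo()` walks through the scenario: the forwarded message carries a single wrapped key, two reads of it cost one unwrap, expiry of the preselected time or a power cycle forces a fresh unwrap, and a message flagged sensitive in its subject line is unwrapped on every access because its key is never cached. The `unwrap_count` counter is the quantity the patent is optimising: each private-key operation on the device is what caching avoids, while keeping the plaintext key only in `_cache` (process memory) is what makes the memory-chip-removal attack described above unproductive.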